Brink's Internal Audit

Published by: kepler! on May 12, 2011
Copyright:Attribution Non-commercial


While all major computer operations and key applications should be subject to regular reviews, the typical internal audit organization does not have the resources or the time to regularly review the controls for all of its IT applications. There will be just too many given the limited time, the relative risks, and audit resources available. In addition, many of these applications represent a minimal level of control risk. As part of a specific operational review or as part of a general information systems control review, internal audit should select only the more critical applications for review.

The audit process for selecting these applications should again be based on relative risk, following the selection procedures outlined in Chapter 5, “Understanding and Assessing Risks: Enterprise Risk Management.” Because information systems applications are so critical to all organization operations, internal auditors often receive specific requests to review application controls. Some of the factors that may affect internal audit’s decision to select one specific application over another may include:

• Management Requests. Internal audit is often asked by management to review the controls in newly installed or other significant information systems applications due to reported problems or their strategic importance to the organization. These management requests are not always made for the correct reasons. For example, sales analysis reports may appear to be incorrect due to bad data submitted from a reporting division, but management may consider the incorrect reports to be a “computer problem” and request an internal audit application review. Internal audit may not initially be aware of such user input problems and may perform normal review procedures. When internal audit is aware of such mitigating circumstances, audit test strategies should be modified prior to starting the review.

• Preimplementation Reviews of New Applications. In many instances, internal audit should become involved in reviewing new applications before they are placed in production. This is true whether an application is an in-house-developed application or a purchased software package. Strategies for internal audit preimplementation reviews are discussed in Section 21.8 (a) of this chapter.

• Postimplementation Applications Reviews. For some critical applications subject to a risk analysis, auditors may also want to perform a detailed applications review some time shortly after the actual system implementation. If an application has sufficient financial and operational control significance, internal audit may want to schedule at least limited control reviews on an ongoing basis.

• Internal Control Assessment Considerations. Chapter 6 discussed the need for evaluating and testing internal controls as part of the SOA Section 404 process. A computer application control assessment is an important part of that overall Section 404 evaluation. Internal auditors are often given the responsibility for understanding, documenting, and testing specific information systems application controls. The results of that internal audit work will provide a basis for the external auditors in their SOA attestation processes.

• Other Audit Application Selection Criteria. There are many other reasons why internal audit may select one application over another for a detailed, internal control–oriented review. These are in addition to those discussed here and in Chapter 5, on audit risk, and may include some of the following considerations:

  ◦ Does the application control significant assets?

  ◦ Does the application’s performance represent a significant risk exposure for the organization?

  ◦ Is the application a strategic system for organizational decision making?

  ◦ Does the application support a function that will be reviewed later as a scheduled internal audit operational review?

  ◦ Have significant changes been made to the application system that were not part of any preimplementation audits?

  ◦ Have there been significant personnel changes in the departments or functions using the application?

Internal audit is typically faced with requests for reviews of a large number of application candidates at any time, and care should be taken in documenting the reasons for selecting one application over another. This will help if internal audit is questioned subsequent to completing a series of reviews. Audits of the controls over representative IT applications are sometimes included as part of a general control review of the information systems function. Internal audit should develop a detailed understanding of the general controls surrounding information systems operations as discussed in Chapter 19, and then review the controls surrounding one or more selected applications.

Internal auditors often perform reviews of the specific applications that support an overall functional area. For example, internal audit may schedule a combined operational and financial review of the purchasing department. This may also be the appropriate time to review the application controls for the major automated purchasing systems supporting that department. In this integrated audit approach, internal auditors can concentrate on both the more technical issues surrounding the applications and on other supporting operational
